From: bugzilla-daemon@kernel.org
To: linux-xfs@vger.kernel.org
Subject: [Bug 216073] [s390x] kernel BUG at mm/usercopy.c:101! usercopy: Kernel memory exposure attempt detected from vmalloc 'no area' (offset 0, size 1)!
Date: Sun, 05 Jun 2022 05:32:21 +0000
Message-ID: <bug-216073-201763-aTV8ZfvA20@https.bugzilla.kernel.org/>
In-Reply-To: <bug-216073-201763@https.bugzilla.kernel.org/>

https://bugzilla.kernel.org/show_bug.cgi?id=216073

--- Comment #2 from Zorro Lang (zlang@redhat.com) ---
Default xfs (no specified mkfs options) can reproduce this bug with xfstests
xfs/294. The decode_stacktrace.sh output is as below [1], HEAD=032dcf09e ("Merge
tag 'gpio-fixes-for-v5.19-rc1' of
git://git.kernel.org/pub/scm/linux/kernel/git/brgl/linux")

[1]
# ./scripts/decode_stacktrace.sh vmlinux < console.log
[30523.215443] run fstests xfs/294 at 2022-06-05 00:40:48
[30525.371171] XFS (loop1): Mounting V5 Filesystem
[30525.388258] XFS (loop1): Ending clean mount
[30574.012385] restraintd[1854]: *** Current Time: Sun Jun 05 00:41:38 2022 Localwatchdog at: Mon Jun 06 16:13:37 2022
[30604.239628] usercopy: Kernel memory exposure attempt detected from vmalloc 'no area' (offset 0, size 1)!
[30604.239677] ------------[ cut here ]------------
[30604.239679] kernel BUG at mm/usercopy.c:101!
[30604.239731] monitor event: 0040 ilc:2 [#1] SMP
[30604.239774] Modules linked in: ext2 overlay dm_zero dm_log_writes dm_thin_pool dm_persistent_data dm_bio_prison sd_mod t10_pi crc64_rocksoft_generic crc64_rocksoft crc64 sg dm_snapshot dm_bufio ext4 mbcache jbd2 dm_flakey tls loop lcs ctcm fsm zfcp scsi_transport_fc dasd_fba_mod rfkill vfio_ccw mdev vfio_iommu_type1 zcrypt_cex4 vfio sunrpc drm i2c_core fb fuse font drm_panel_orientation_quirks xfs libcrc32c ghash_s390 prng aes_s390 des_s390 sha3_512_s390 sha3_256_s390 qeth_l2 bridge stp llc dasd_eckd_mod dasd_mod qeth qdio ccwgroup dm_mirror dm_region_hash dm_log dm_mod pkey zcrypt [last unloaded: scsi_debug]
5.18.0+ #1
[30604.240048] Hardware name: IBM 8561 LT1 400 (z/VM 7.2.0)
[30604.240155] Krnl PSW : 0704d00180000000 00000000255ca85a (usercopy_abort+0xaa/0xb0)
[30604.240177]            R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:1 PM:0 RI:0 EA:3
[30604.240188] Krnl GPRS: 0000000000000001 001c000018090e00 000000000000005c 0000000000000004
[30604.240196]            001c000000000000 00000000249b2024 00000000257cb1a0 001bff8000000000
[30604.240204]            0000000000000001 0000000000000001 0000000000000000 00000000257cb1e0
[30604.240213]            0000000025d8d070 00000000973502c0 00000000255ca856 001bff80041af730
[30604.240231] Krnl Code: 00000000255ca84c: b9040031 lgr %r3,%r1

Code starting with the faulting instruction
===========================================
[30604.240231]            00000000255ca850: c0e5ffffbbfc        brasl   %r14,00000000255c2048
[30604.240231]           #00000000255ca856: af000000            mc      0,0
[30604.240231]           >00000000255ca85a: 0707                bcr     0,%r7
[30604.240231]            00000000255ca85c: 0707                bcr     0,%r7
[30604.240231]            00000000255ca85e: 0707                bcr     0,%r7
[30604.240231]            00000000255ca860: c0040007b0a4        brcl    0,00000000256c09a8
[30604.240231]            00000000255ca866: eb6ff0480024        stmg    %r6,%r15,72(%r15)
[30604.240369] Call Trace:
[30604.240375] usercopy_abort (??:?) 
[30604.240382] usercopy_abort (mm/usercopy.c:101 (discriminator 24)) 
[30604.240400] check_heap_object (mm/usercopy.c:180) 
[30604.240409] __check_object_size (mm/usercopy.c:123 mm/usercopy.c:255 mm/usercopy.c:214)
[30604.240415] filldir64 (./include/linux/uaccess.h:108 fs/readdir.c:339)
[30604.240424] xfs_dir2_leaf_getdents (./include/linux/fs.h:3430 fs/xfs/xfs_dir2_readdir.c:472) xfs
[30604.240830] xfs_readdir (fs/xfs/xfs_dir2_readdir.c:547) xfs
[30604.241036] iterate_dir (fs/readdir.c:65) 
[30604.241042] __do_sys_getdents64 (fs/readdir.c:369) 
[30604.241047] do_syscall (arch/s390/kernel/syscall.c:144 (discriminator 1)) 
[30604.241053] __do_syscall (arch/s390/kernel/syscall.c:169) 
[30604.241058] system_call (arch/s390/kernel/entry.S:335) 
[30604.241064] INFO: lockdep is turned off.
[30604.241067] Last Breaking-Event-Address:
[30604.241070] _printk (kernel/printk/printk.c:2426) 
[30604.241077] ---[ end trace 0000000000000000 ]---
[30609.984847] usercopy: Kernel memory exposure attempt detected from vmalloc 'no area' (offset 0, size 1)!
[30609.984894] ------------[ cut here ]------------
[30609.984896] kernel BUG at mm/usercopy.c:101!
[30609.984945] monitor event: 0040 ilc:2 [#2] SMP
[30609.984984] Modules linked in: ext2 overlay dm_zero dm_log_writes dm_thin_pool dm_persistent_data dm_bio_prison sd_mod t10_pi crc64_rocksoft_generic crc64_rocksoft crc64 sg dm_snapshot dm_bufio ext4 mbcache jbd2 dm_flakey tls loop lcs ctcm fsm zfcp scsi_transport_fc dasd_fba_mod rfkill vfio_ccw mdev vfio_iommu_type1 zcrypt_cex4 vfio sunrpc drm i2c_core fb fuse font drm_panel_orientation_quirks xfs libcrc32c ghash_s390 prng aes_s390 des_s390 sha3_512_s390 sha3_256_s390 qeth_l2 bridge stp llc dasd_eckd_mod dasd_mod qeth qdio ccwgroup dm_mirror dm_region_hash dm_log dm_mod pkey zcrypt [last unloaded: scsi_debug]
5.18.0+ #1
[30609.985151] Hardware name: IBM 8561 LT1 400 (z/VM 7.2.0)
[30609.985211] Krnl PSW : 0704d00180000000 00000000255ca85a (usercopy_abort+0xaa/0xb0)
[30609.985249]            R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:1 PM:0 RI:0 EA:3
[30609.985258] Krnl GPRS: 0000000000000001 001c000018090e00 000000000000005c 0000000000000004
[30609.985264]            001c000000000000 00000000249b2024 00000000257cb1a0 001bff8000000000
[30609.985271]            0000000000000001 0000000000000001 0000000000000000 00000000257cb1e0
[30609.985276]            0000000025d8d070 00000000a2d652c0 00000000255ca856 001bff800810f668
[30609.985293] Krnl Code: 00000000255ca84c: b9040031 lgr %r3,%r1

Code starting with the faulting instruction
===========================================
[30609.985293]            00000000255ca850: c0e5ffffbbfc        brasl   %r14,00000000255c2048
[30609.985293]           #00000000255ca856: af000000            mc      0,0
[30609.985293]           >00000000255ca85a: 0707                bcr     0,%r7
[30609.985293]            00000000255ca85c: 0707                bcr     0,%r7
[30609.985293]            00000000255ca85e: 0707                bcr     0,%r7
[30609.985293]            00000000255ca860: c0040007b0a4        brcl    0,00000000256c09a8
[30609.985293]            00000000255ca866: eb6ff0480024        stmg    %r6,%r15,72(%r15)
[30609.985340] Call Trace:
[30609.985345] usercopy_abort (??:?) 
[30609.985352] usercopy_abort (mm/usercopy.c:101 (discriminator 24)) 
[30609.985358] check_heap_object (mm/usercopy.c:180) 
[30609.985367] __check_object_size (mm/usercopy.c:123 mm/usercopy.c:255 mm/usercopy.c:214)
[30609.985374] filldir64 (./include/linux/uaccess.h:108 fs/readdir.c:339)
[30609.985383] xfs_dir2_leaf_getdents (./include/linux/fs.h:3430 fs/xfs/xfs_dir2_readdir.c:472) xfs
[30609.985780] xfs_readdir (fs/xfs/xfs_dir2_readdir.c:547) xfs
[30609.986002] iterate_dir (fs/readdir.c:65) 
[30609.986009] __do_sys_getdents64 (fs/readdir.c:369) 
[30609.986017] do_syscall (arch/s390/kernel/syscall.c:144 (discriminator 1)) 
[30609.986026] __do_syscall (arch/s390/kernel/syscall.c:169) 
[30609.986033] system_call (arch/s390/kernel/entry.S:335) 
[30609.986041] INFO: lockdep is turned off.
[30609.986046] Last Breaking-Event-Address:
[30609.986050] _printk (kernel/printk/printk.c:2426) 
[30609.986059] ---[ end trace 0000000000000000 ]---
[30610.050449] XFS (loop0): Unmounting Filesystem
